395 lines
9.4 KiB
Groff
395 lines
9.4 KiB
Groff
.\" $NetBSD: login.conf.5,v 1.19 2006/06/17 04:58:14 reed Exp $
|
|
.\"
|
|
.\" Copyright (c) 1995,1996,1997 Berkeley Software Design, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by Berkeley Software Design,
|
|
.\" Inc.
|
|
.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse
|
|
.\" or promote products derived from this software without specific prior
|
|
.\" written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" BSDI login.conf.5,v 2.19 1998/02/19 23:39:39 prb Exp
|
|
.\"
|
|
.Dd April 19, 2004
|
|
.Dt LOGIN.CONF 5
|
|
.Os
|
|
.Sh NAME
|
|
.Nm login.conf
|
|
.Nd login class capability data base
|
|
.Sh SYNOPSIS
|
|
.Nm login.conf
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm login.conf
|
|
file describes the various attributes of login classes.
|
|
A login class determines what styles of authentication are available
|
|
as well as session resource limits and environment setup.
|
|
While designed primarily for the
|
|
.Xr login 1
|
|
program,
|
|
it is also used by other programs, e.g.,
|
|
.Xr rexecd 8 ,
|
|
which need to set up a user environment.
|
|
.Pp
|
|
The class to be used is normally determined by the
|
|
.Li class
|
|
field in the password file (see
|
|
.Xr passwd 5 ) .
|
|
The class is used to look up a corresponding entry in the
|
|
.Pa login.conf
|
|
file.
|
|
A special class called
|
|
.Dq default
|
|
will be used (if it exists) if the field in the password file is empty.
|
|
.Sh CAPABILITIES
|
|
Refer to
|
|
.Xr getcap 3
|
|
for a description of the file layout.
|
|
An example entry is:
|
|
.Bd -literal -offset indent
|
|
classname|Description entry:\\
|
|
:capability=value:\\
|
|
:booleancapability:\\
|
|
\&.\&.\&.
|
|
:lastcapability=value:
|
|
.Ed
|
|
.Pp
|
|
All entries in the
|
|
.Nm login.conf
|
|
file are either boolean or use a `=' to separate the capability
|
|
from the value.
|
|
The types are described after the capability table.
|
|
.Bl -column minpasswordlen program default
|
|
.Sy Name Type Default Description
|
|
.\"
|
|
.sp
|
|
.It Sy copyright Ta file Ta "" Ta
|
|
File containing additional copyright information.
|
|
.\"
|
|
.sp
|
|
.It Sy coredumpsize Ta size Ta "" Ta
|
|
Maximum coredump size limit.
|
|
.\"
|
|
.sp
|
|
.It Sy cputime Ta time Ta "" Ta
|
|
CPU usage limit.
|
|
.\"
|
|
.sp
|
|
.It Sy datasize Ta size Ta "" Ta
|
|
Maximum data size limit.
|
|
.\"
|
|
.sp
|
|
.It Sy filesize Ta size Ta "" Ta
|
|
Maximum file size limit.
|
|
.\"
|
|
.sp
|
|
.It Sy host.allow Ta string Ta "" Ta
|
|
A comma-separated list of host name or IP address patterns
|
|
from which a class is allowed access.
|
|
Access is instead denied from any hosts preceded
|
|
by
|
|
.Sq Li \&! .
|
|
Patterns can contain the
|
|
.Xr sh 1 -style
|
|
.Sq Li *
|
|
and
|
|
.Sq Li \&?
|
|
wildcards.
|
|
The
|
|
.Sy host.deny
|
|
entry is checked before
|
|
.Sy host.allow .
|
|
(Currently used only by
|
|
.Xr sshd 8 . )
|
|
.\"
|
|
.sp
|
|
.It Sy host.deny Ta string Ta "" Ta
|
|
A comma-separated list of host name or IP address patterns
|
|
from which a class is denied access.
|
|
Patterns as per
|
|
.Sy host.allow ,
|
|
although a matched pattern that has been negated with
|
|
.Sq Li \&!
|
|
is ignored.
|
|
(Currently used only by
|
|
.Xr sshd 8 . )
|
|
.\"
|
|
.sp
|
|
.It Sy hushlogin Ta bool Ta Li false Ta
|
|
Same as having a
|
|
.Pa $HOME/.hushlogin
|
|
file.
|
|
See
|
|
.Xr login 1 .
|
|
.\"
|
|
.sp
|
|
.It Sy ignorenologin Ta bool Ta Li false Ta
|
|
Not affected by
|
|
.Pa nologin
|
|
files.
|
|
.\"
|
|
.sp
|
|
.It Sy login-retries Ta number Ta 10 Ta
|
|
Maximum number of login attempts allowed.
|
|
.\"
|
|
.sp
|
|
.It Sy login-backoff Ta number Ta 3 Ta
|
|
Number of login attempts after which to start random back-off.
|
|
.\"
|
|
.sp
|
|
.It Sy maxproc Ta number Ta "" Ta
|
|
Maximum number of process.
|
|
.\"
|
|
.sp
|
|
.It Sy memorylocked Ta size Ta "" Ta
|
|
Maximum locked in core memory size limit.
|
|
.\"
|
|
.sp
|
|
.It Sy memoryuse Ta size Ta "" Ta
|
|
Maximum in core memoryuse size limit.
|
|
.\"
|
|
.sp
|
|
.It Sy minpasswordlen Ta number Ta "" Ta
|
|
The minimum length a local password may be.
|
|
Used by the
|
|
.Xr passwd 1
|
|
utility.
|
|
.\"
|
|
.sp
|
|
.It Sy nologin Ta file Ta "" Ta
|
|
If the file exists it will be displayed
|
|
and the login session will be terminated.
|
|
.\"
|
|
.sp
|
|
.It Sy openfiles Ta number Ta "" Ta
|
|
Maximum number of open file descriptors per process.
|
|
.\"
|
|
.\"XX .sp
|
|
.\"XX .It Sy password-dead Ta time Ta Li 0 Ta
|
|
.\"XX Length of time a password may be expired but not quite dead yet.
|
|
.\"XX When set (for both the client and remote server machine when doing
|
|
.\"XX remote authentication), a user is allowed to log in just one more
|
|
.\"XX time after their password (but not account) has expired. This allows
|
|
.\"XX a grace period for updating their password.
|
|
.\"
|
|
.sp
|
|
.It Sy passwordtime Ta time Ta "" Ta
|
|
Used by
|
|
.Xr passwd 1
|
|
to set next password expiry date.
|
|
.\"
|
|
.sp
|
|
.It Sy password-warn Ta time Ta Li 2w Ta
|
|
If the user's password will expire within this length of time then
|
|
warn the user of this.
|
|
.\"
|
|
.sp
|
|
.It Sy path Ta path Ta Li "/bin /usr/bin" Ta
|
|
.br
|
|
Default search path.
|
|
.\"
|
|
.sp
|
|
.It Sy priority Ta number Ta "" Ta
|
|
Initial priority (nice) level.
|
|
.\"
|
|
.sp
|
|
.It Sy requirehome Ta bool Ta Li false Ta
|
|
Require home directory to login.
|
|
.\"
|
|
.sp
|
|
.It Sy sbsize Ta size Ta "" Ta
|
|
Maximum socket buffer size limit.
|
|
.\"
|
|
.sp
|
|
.It Sy setenv Ta list Ta "" Ta
|
|
Comma separated list of environment variables and values to be set.
|
|
.\"
|
|
.sp
|
|
.It Sy shell Ta program Ta "" Ta
|
|
Session shell to execute rather than the shell specified in the password file.
|
|
The
|
|
.Ev SHELL
|
|
environment variable will contain the shell specified in the password file.
|
|
.\"
|
|
.sp
|
|
.It Sy stacksize Ta size Ta "" Ta
|
|
Maximum stack size limit.
|
|
.\"
|
|
.sp
|
|
.It Sy tc Ta string Ta "" Ta
|
|
A "continuation" entry, which must be the last capability provided.
|
|
More capabilities are read from the named entry.
|
|
The capabilities given before
|
|
.Sy tc
|
|
override those in the entry invoked by
|
|
.Sy tc .
|
|
.\"
|
|
.sp
|
|
.It Sy term Ta string Ta Li su Ta
|
|
Default terminal type if not able to determine from other means.
|
|
.\"
|
|
.sp
|
|
.It Sy umask Ta number Ta Li 022 Ta
|
|
Initial umask.
|
|
Should always have a leading
|
|
.Li 0
|
|
to assure octal interpretation.
|
|
See
|
|
.Xr umask 2 .
|
|
.\"
|
|
.sp
|
|
.It Sy welcome Ta file Ta Li /etc/motd Ta
|
|
File containing welcome message.
|
|
.El
|
|
.Pp
|
|
The resource limit entries
|
|
.Sy ( coredumpsize ,
|
|
.Sy cputime ,
|
|
.Sy datasize ,
|
|
.Sy filesize ,
|
|
.Sy maxproc ,
|
|
.Sy memorylocked ,
|
|
.Sy memoryuse ,
|
|
.Sy openfiles ,
|
|
.Sy sbsize ,
|
|
and
|
|
.Sy stacksize )
|
|
actually specify both the maximum and current limits (see
|
|
.Xr getrlimit 2 ) .
|
|
The current limit is the one normally used,
|
|
although the user is permitted to increase the current limit to the
|
|
maximum limit.
|
|
The maximum and current limits may be specified individually by appending
|
|
a
|
|
.Sq Sy \-max
|
|
or
|
|
.Sq Sy \-cur
|
|
to the capability name (e.g.,
|
|
.Sy openfiles-max
|
|
and
|
|
.Sy openfiles-cur Ns No ) .
|
|
.Pp
|
|
.Nx
|
|
will never define capabilities which start with
|
|
.Li x-
|
|
or
|
|
.Li X- ,
|
|
these are reserved for external use (unless included through contributed
|
|
software).
|
|
.Pp
|
|
The argument types are defined as:
|
|
.Bl -tag -width programxx
|
|
.\"
|
|
.It Sy file
|
|
Path name to a text file.
|
|
.\"
|
|
.It Sy list
|
|
A comma separated list of values.
|
|
.\"
|
|
.It Sy number
|
|
A number. A leading
|
|
.Li 0x
|
|
implies the number is expressed in hexadecimal.
|
|
A leading
|
|
.Li 0
|
|
implies the number is expressed in octal.
|
|
Any other number is treated as decimal.
|
|
.\"
|
|
.It Sy path
|
|
A space separated list of path names.
|
|
If a
|
|
.Sq Li ~
|
|
is the first character in the path name, the
|
|
.Sq Li ~
|
|
is expanded to the user's home directory.
|
|
.\"
|
|
.It Sy program
|
|
A path name to program.
|
|
.\"
|
|
.It Sy size
|
|
A number which expresses a size in bytes.
|
|
It may have a trailing
|
|
.Li b
|
|
to multiply the value by 512, a
|
|
.Li k
|
|
to multiply the value by 1 K (1024), and a
|
|
.Li m
|
|
to multiply the value by 1 M (1048576).
|
|
.\"
|
|
.It Sy time
|
|
A time in seconds.
|
|
A time may be expressed as a series of numbers
|
|
which are added together.
|
|
Each number may have a trailing character to
|
|
represent time units:
|
|
.Bl -tag -width xxx
|
|
.\"
|
|
.It Sy y
|
|
Indicates a number of 365 day years.
|
|
.\"
|
|
.It Sy w
|
|
Indicates a number of 7 day weeks.
|
|
.\"
|
|
.It Sy d
|
|
Indicates a number of 24 hour days.
|
|
.\"
|
|
.It Sy h
|
|
Indicates a number of 60 minute hours.
|
|
.\"
|
|
.It Sy m
|
|
Indicates a number of 60 second minutes.
|
|
.\"
|
|
.It Sy s
|
|
Indicates a number of seconds.
|
|
.El
|
|
.Pp
|
|
For example, to indicate 1 and 1/2 hours, the following string
|
|
could be used:
|
|
.Li 1h30m .
|
|
.El
|
|
.\"
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/login.conf.db -compact
|
|
.It Pa /etc/login.conf
|
|
login class capability database
|
|
.It Pa /etc/login.conf.db
|
|
hashed database built with
|
|
.Xr cap_mkdb 1
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr cap_mkdb 1 ,
|
|
.Xr login 1 ,
|
|
.Xr getcap 3 ,
|
|
.Xr login_cap 3 ,
|
|
.Xr ttys 5 ,
|
|
.Xr ftpd 8 ,
|
|
.Xr sshd 8
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
configuration file appeared in
|
|
.Nx 1.5 .
|